Microsoft Reported That It Had "Identified and Shut Down" a Lebanese Hacker Organization


Microsoft reported on Thursday that it had successfully "identified and shut down" a previously unreported Lebanese hacker organization suspected of cooperating with Iranian intelligence agencies. The Microsoft Threat Intelligence Center (MSTIC) has been tracking the group under the name "Polonium". Over the past three months, the group has compromised more than 20 Israeli organizations and one intergovernmental organization operating in Lebanon, focusing on critical manufacturing, IT and the Israeli defense industry.

In one case described in Microsoft's blog post, a cloud service provider was compromised and then used as a supply-chain vector to target downstream airlines and law firms.

Microsoft added that Polonium operators also targeted multiple victims previously compromised by the MuddyWater APT group, which Microsoft tracks as MERCURY and which U.S. Cyber Command linked to Iranian intelligence earlier this year.

The previously unknown group created legitimate Microsoft OneDrive accounts and then used those accounts as command and control (C2) infrastructure for some of its attacks. Microsoft researchers wrote that the observed activity was not related to any security issue or vulnerability in OneDrive.

MSTIC said there was sufficient evidence that the group behind the attacks is based in Lebanon, adding that it assessed with "moderate" confidence that Polonium was cooperating with the Iranian Ministry of Intelligence and Security (MOIS).

Microsoft said: "The uniqueness of the victim organizations indicates the integration of mission requirements with MOIS. This may also be evidence of a 'handover' operating model, in which MOIS provides Polonium with access to previously compromised victim environments to carry out new activity."

Microsoft said it successfully suspended more than 20 malicious OneDrive applications created by Polonium threat actors. The company added that it also notified the affected organizations and deployed a series of security intelligence updates to isolate the tools developed by the Iran-linked hackers.

It is not yet clear how the attackers obtained initial access to the victims' networks, but Microsoft noted that about 80% of the compromised organizations were running Fortinet devices, an assessment it described as "supported by evidence, but cannot be 100% sure". Polonium is believed to have broken into those Fortinet devices through a vulnerability (tracked as CVE-2018-13379) that has been known for at least three years.
